CVE-2009-2463: Mozilla Firefox/Thunderbird Base64 Integer Overflows

This bug was reported by monarch2020 and disclosed on 21 July 2009 by Mozilla. The issue is specific to the Base64 routines in Mozilla Firefox prior to the 3.0.12 release. The affected code, from nsprpub/lib/libc/src/base64.c in the Firefox 3.0.11 release, looks like this.

So, the above encoding routine uses PL_strlen() to retrieve the length of the 'src' string. However, the underlying strlen() returns size_t, which on 64-bit (LP64) architectures is a 64-bit unsigned long. Storing that value in 'srclen', which is always a 32-bit unsigned integer as you can see in the above routine, silently truncates the length on such systems. In addition, a second bug is present in the second if clause: 'destlen' is computed from 'srclen' in 32-bit arithmetic, so a sufficiently large input makes the result wrap around. The routine then allocates a buffer far smaller than the encoded output and writes past its end, corrupting the heap. Both bugs were fixed by applying this patch:

Now, a temporary variable 'len' of type size_t holds the string length so that truncation when it is copied into the 32-bit 'srclen' can be detected, and the 'destlen' calculation in the second if is checked for overflow before proceeding to the allocation with PR_MALLOC(). Similar vulnerabilities were also present in the Base64 decoding routine in nsprpub/lib/libc/src/base64.c.
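To make the two failure modes concrete, here is an added example written for this post; it is not the NSPR source and does not reproduce the patch. naive_encoded_len() is a hypothetical reconstruction of the shape of an unchecked 32-bit output-length computation (ceil(srclen/3) groups of four characters); safe_encoded_len() applies the two guards the fix needs, rejecting a size_t length that would not survive the copy into 32 bits and doing the arithmetic in 64 bits; b64_encode() and encodes_to() are small helpers (also hypothetical names) that size the allocation with the checked routine. With the unchecked arithmetic an input length around 0xC0000000 makes the computed length wrap to zero, so the allocation is a single byte while the encoder still writes billions.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reconstruction of unchecked 32-bit length arithmetic:
 * ceil(srclen / 3) groups of four output characters. Both the addition and
 * the multiplication are done in 32 bits, so for large srclen the result
 * wraps and becomes far smaller than srclen itself. */
uint32_t naive_encoded_len(uint32_t srclen)
{
    return ((srclen + 2) / 3) * 4;
}

/* Hardened version. Takes the full size_t strlen() result, refuses anything
 * that would not survive a copy into a 32-bit length, and performs the
 * ceil(n/3)*4 + 1 computation in 64 bits so it cannot wrap. Returns the
 * allocation size (at least 1, for the NUL) or 0 on failure. */
uint32_t safe_encoded_len(size_t srclen)
{
    if (srclen > UINT32_MAX)              /* would truncate on LP64 hosts */
        return 0;
    uint64_t groups = ((uint64_t)srclen + 2) / 3;
    uint64_t need = groups * 4 + 1;       /* +1 for the terminating NUL */
    if (need > UINT32_MAX)                /* would wrap in 32 bits */
        return 0;
    return (uint32_t)need;
}

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Minimal RFC 4648 encoder built on safe_encoded_len(): the allocation is
 * sized by the checked arithmetic, so the write loop cannot run past it.
 * Returns a malloc'd NUL-terminated string, or NULL on failure. */
char *b64_encode(const unsigned char *src, size_t srclen)
{
    uint32_t alloc = safe_encoded_len(srclen);
    if (alloc == 0)
        return NULL;
    char *dest = malloc(alloc);
    if (dest == NULL)
        return NULL;

    size_t i = 0, o = 0;
    while (srclen - i >= 3) {
        uint32_t v = ((uint32_t)src[i] << 16) |
                     ((uint32_t)src[i + 1] << 8) | src[i + 2];
        dest[o++] = b64tab[(v >> 18) & 63];
        dest[o++] = b64tab[(v >> 12) & 63];
        dest[o++] = b64tab[(v >> 6) & 63];
        dest[o++] = b64tab[v & 63];
        i += 3;
    }
    size_t rem = srclen - i;              /* 0, 1 or 2 trailing bytes */
    if (rem > 0) {
        uint32_t v = (uint32_t)src[i] << 16;
        if (rem == 2)
            v |= (uint32_t)src[i + 1] << 8;
        dest[o++] = b64tab[(v >> 18) & 63];
        dest[o++] = b64tab[(v >> 12) & 63];
        dest[o++] = (rem == 2) ? b64tab[(v >> 6) & 63] : '=';
        dest[o++] = '=';
    }
    dest[o] = '\0';
    return dest;
}

/* Encodes a C string and compares with the expected output.
 * Returns 1 on match, 0 otherwise. */
int encodes_to(const char *in, const char *expected)
{
    char *out = b64_encode((const unsigned char *)in, strlen(in));
    int ok = (out != NULL) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed lengths, not real inputs: show the wrap and the guard. */
    printf("naive(0xC0000000) = %" PRIu32 "\n", naive_encoded_len(0xC0000000u));
    printf("safe(0xC0000000)  = %" PRIu32 "\n", safe_encoded_len(0xC0000000u));
    printf("Man -> %s\n", encodes_to("Man", "TWFu") ? "TWFu" : "mismatch");
    return 0;
}
```

The largest input the checked routine accepts is 3221225469 bytes (0xBFFFFFFD), for which the allocation is 4294967293 bytes; one byte more and ceil(n/3)*4 no longer fits in 32 bits, which is exactly the region where the unchecked computation wraps to zero. On a 32-bit host the size_t guard is a no-op and only the overflow guard matters; on a 64-bit host both are needed.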

Actually, in the majority of situations, the bug wouldn't trigger just because it surpasses userland's linear address limits (you need a string ~0xC0000000 long to wrap to zero). Not sure what the normal limits are for a process/thread on x64.

You are all correct, I was not able to trigger it. Doing so is theoretically possible but would require a 64-bit.

The only interesting thing not mentioned here is that if you could trigger it, exploitation would be easy. The base64 decode routine ignores invalid base64 values, allowing an attacker to control the exact amount of overflow.